On Fri, 2007-09-21 at 05:22 -0700, [EMAIL PROTECTED] wrote:
> Hi all. I'll first state that I'm not a django developer (my only
> patch was rejected and that's sad, 'cause I've learned python only to
> make it :( ). Yet I like django, I have started to work with it, for
> some experiments, and came to think of something wrong with the way
> the templates work, or at the very least the way it's taught we
> should use them.
> When there's data presented on the template, we are told to use "|
> escape" on the template to escape it. While it's a possible solution
> to this problem, I'm not comfortable with my designer taking care of
> such a major security issue. I don't think the designer should know what
> "markdown" is, or even how to convert a "\n" to a "<br />".
> I think that, when it's possible, he should get the data, from the
> view I've created, all set and ready for use. I can leave it as an
> option for the designer to pipe his data, but it shouldn't be a
> practice. It shouldn't be the way I'm taught to handle things.
> 
> What do you think?

Search for autoescaping in the archives. We have a solution that is
designed and mostly implemented. It needs a little fine-tuning before it
lands, but it will be in the tree soon.

Regards,
Malcolm
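An added, stand-alone illustration (not from this thread and not Django's own code) of the autoescaping design Malcolm refers to: the template escapes every value by default, and the view marks as safe only what it has already prepared, such as the "\n" to "<br />" conversion the original poster mentions. SafeString, mark_safe, linebreaks and render are the toy's own assumed names, not Django's API.

```python
# Constructed example: a minimal autoescaping renderer that mirrors the
# idea under discussion. It does not use Django; it only shows why the
# designer need not write "|escape" when escaping is the default and the
# view opts out explicitly for values it has already made safe.
import html
import re


class SafeString(str):
    """A str the view has already escaped or sanitised; the template leaves it alone."""


def mark_safe(s: str) -> SafeString:
    """View-side opt-out: assert that s is already safe HTML (assumed name)."""
    return SafeString(s)


def escape(value) -> str:
    """Escape a value for HTML unless it was explicitly marked safe."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(str(value), quote=True)


def linebreaks(text: str) -> SafeString:
    """View-side helper: escape raw text first, then turn "\\n" into "<br />"."""
    escaped = html.escape(text, quote=True)
    return mark_safe(escaped.replace("\n", "<br />"))


_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, context: dict) -> str:
    """Toy autoescaping renderer: every {{ var }} is escaped by default."""
    return _VAR.sub(lambda m: escape(context.get(m.group(1), "")), template)


if __name__ == "__main__":
    # Constructed user input containing markup that must not reach the browser live.
    comment = 'Nice post!\n<script>alert("xss")</script>'
    # The designer writes no |escape; the output is escaped regardless.
    print(render("<p>{{ comment }}</p>", {"comment": comment}))
    # The view prepares the value, so the designer gets ready-to-use HTML.
    print(render("<p>{{ comment }}</p>", {"comment": linebreaks(comment)}))
```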



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---